Privacy Policy

How MoldLean collects, uses, stores and protects your personal data.

Effective: TBD
Last updated: TBD

Draft template — not legal advice

This document is a starting-point template generated for the MoldLean launch. Before publishing or relying on it commercially, have it reviewed by a qualified attorney in your jurisdiction. Dates and versions below are placeholders.

1. Who we are

MoldLean is a SaaS dental mould optimization service operated by Armenta & Marquez Dental Technologies (“MoldLean”, “we”, “us”, “our”), a company organized under the laws of Mexico with its principal place of business in Mexico (exact address TBD). For EU-based data subjects we will designate an EU representative under Article 27 of the GDPR (TBD).

For any privacy-related inquiry contact us at:

  • Email: privacy@moldlean.com
  • Postal: Armenta & Marquez Dental Technologies — Attn: Privacy Office (address TBD)
  • EU representative: TBD
  • Data Protection Officer: TBD (point of contact: privacy@moldlean.com)

This Privacy Policy explains how we collect, use, store, share and protect personal data when you use our website (moldlean.com), our application (app.moldlean.com) and our related services (collectively, the “Service”).

2. Data we collect

2.1 Account information

  • Full name
  • Work email address
  • Hashed password (PBKDF2-SHA256, 200,000 iterations — never stored in clear text)
  • Organization name (optional)
  • Phone number (optional)
  • Profile photo (optional)
  • Preferred language and timezone
  • Two-factor authentication secret (optional, stored encrypted)

2.2 Payment metadata

We use Paddle.com Market Ltd as Merchant of Record. We do not store full card numbers or banking credentials. We receive from Paddle: last four digits of the payment instrument, card brand, country of issue, billing name and address, tax ID (if provided), Paddle transaction identifiers, invoice amount, currency and tax breakdown.

2.3 Technical and usage data

  • IP address (truncated for analytics; retained full for security logs)
  • User agent / browser fingerprint
  • Session identifiers
  • Audit log entries (login, logout, role changes, sensitive actions)
  • Application error reports (via Sentry)

2.4 Uploaded files

When you upload a ZIP containing STL/PTS files we temporarily store those files in our object storage (Cloudflare R2) for processing. These files may contain 3D scan geometry of dental moulds, filenames you provided (which may include case identifiers), and file metadata. Important: uploaded files are deleted automatically 72 hours after processing completion. See section 6.

2.5 Communications

If you contact our support or sales team we keep the email thread, your message and any attachments for the duration of the ticket plus 1 year for quality and training purposes.

3. Legal basis for processing (GDPR Art. 6)

Purpose | Legal basis
Providing the Service to you | Contract performance (Art. 6(1)(b))
Processing payments and invoicing | Contract + legal obligation (Art. 6(1)(b)+(c))
Fraud prevention and security | Legitimate interest (Art. 6(1)(f))
Sending service announcements | Contract (Art. 6(1)(b))
Sending marketing emails | Consent (Art. 6(1)(a)) — opt-in only
Tax and accounting compliance | Legal obligation (Art. 6(1)(c))

For processing of any data that may qualify as Protected Health Information (PHI) under HIPAA, we additionally require an executed Business Associate Agreement (BAA) and activation of the HIPAA tier for your organization. We will not knowingly process PHI without both in place. See section 9.

4. Sub-processors

The authoritative live list is published at /legal/sub-processors.

Sub-processor | Purpose | Location
Cloudflare, Inc. | DNS, CDN, R2 object storage | US (EU R2 region available)
Hetzner Online GmbH | Compute VPS (default tier) | Germany (EU)
Amazon Web Services, Inc. | S3 Glacier cold archive; future HIPAA-tier compute | US / EU
Paddle.com Market Ltd | Payment processing (Merchant of Record) | UK + global
Resend, Inc. | Transactional email | US
Functional Software, Inc. (Sentry) | Error tracking | US

We will give Customers at least 30 days' notice before engaging any new sub-processor. Subscribe at subprocessors@moldlean.com to be notified.

5. International transfers

When personal data is transferred from the EEA, UK or Switzerland to a third country that has not been recognized as providing adequate protection (in particular the United States), we rely on:

  • EU Standard Contractual Clauses (2021/914/EU), incorporated by reference in our DPA and in each sub-processor agreement.
  • For US-based sub-processors, the EU-US Data Privacy Framework (DPF) where the sub-processor is certified.
  • The UK International Data Transfer Addendum for UK transfers.
  • The Swiss FDPIC adjustments where applicable.

We perform a Transfer Impact Assessment (TIA) for each non-adequate transfer.

6. Retention periods

Data category | Retention | Reason
Uploaded STL/PTS files (originals + processed) | 72 hours after job completion | Operational delivery window
Account information | Until account deletion + 30 days | Recovery grace period
Invoices and billing records | 7 years | Fiscal / tax obligation
Application audit log | 2 years | Security and dispute resolution
Application access logs (HTTP) | 90 days | Security incident investigation
System backups | 30 days | Disaster recovery

7. Your rights (GDPR Articles 15–22)

  • Access (Art. 15): request a copy of your personal data. We respond within 30 days.
  • Rectification (Art. 16): ask us to correct inaccurate data. Most fields can be corrected in Account → Profile.
  • Erasure (Art. 17): ask us to delete your data, except items we must retain by law (invoices, audit logs).
  • Restriction (Art. 18): limit processing while a dispute is being resolved.
  • Portability (Art. 20): receive your data as JSON.
  • Object (Art. 21): object to legitimate-interest processing, including profiling.
  • Withdraw consent for any processing based on consent.
  • Lodge a complaint with a supervisory authority.

Email privacy@moldlean.com or use the self-service tools in Account → Privacy. We may need to verify your identity.

8. Children's data

The Service is a B2B tool for dental professionals. It is not directed at children under 16 and we do not knowingly collect personal data from children. Customer Content may contain scan data from minors who are patients of our Customers; in that case the Customer is controller and is responsible under Article 8 GDPR, while MoldLean acts as processor under the DPA.

9. HIPAA tier (US medical Customers)

By default the Service is not configured to process PHI under HIPAA. US Customers acting as Covered Entities or Business Associates must request activation of the HIPAA tier, execute our Business Associate Agreement, and route traffic through the HIPAA-enabled processing endpoint.

10. Cookies and similar technologies

We use a strict minimum: an essential session token in localStorage and a CSRF cookie. We do not use third-party analytics, advertising or tracking cookies in the MVP. See the full Cookie Policy.

11. Security

  • In transit: TLS 1.3, HSTS, certificate transparency monitoring.
  • At rest: AES-256-GCM encryption of object storage and database volumes.
  • Passwords: PBKDF2-SHA256 with 200,000 iterations and per-account salt.
  • Two-factor authentication (TOTP) available; required for admin roles.
  • Audit logging of admin actions, role changes and sensitive operations.
  • Principle of least privilege for staff access, reviewed quarterly.
  • Backup encryption and quarterly restore drills.
  • Documented incident response plan with defined severity levels.

12. Personal data breach notification

  • Supervisory authority: within 72 hours of becoming aware (Art. 33), unless unlikely to result in risk.
  • Affected data subjects: without undue delay when high risk exists (Art. 34).
  • HIPAA-tier Customers: within 24 hours per the executed BAA.

13. Marketing communications

Transactional emails are sent on the basis of contract performance and cannot be opted out of while the account is active. Marketing emails are sent only with explicit opt-in and include a one-click unsubscribe link.

14. Changes to this Policy

For material adverse changes we will give at least 30 days' notice by email and in-app banner. The Effective and Last updated dates at the top of this page indicate the current version.

15. Jurisdiction-specific addenda

California (CCPA / CPRA), Brazil (LGPD), Quebec (Law 25) and UK GDPR addenda are placeholders — contact privacy@moldlean.com if you require an applicable addendum.

16. Contact

Topic | Contact
Privacy questions, data subject requests | privacy@moldlean.com
Security disclosures | security@moldlean.com
Legal notices | legal@moldlean.com
General support | support@moldlean.com